Cybersecurity Brief – 2025-06-10
Major Incidents or Breaches
- Sensata Technologies confirmed a data breach following an April ransomware attack, with personal data of current and former employees compromised.
- United Natural Foods (UNFI), North America’s largest publicly traded grocery wholesaler, experienced a cyberattack that forced the shutdown of some systems.
- Data stolen from Ticketmaster during the 2024 Snowflake data theft attacks was briefly relisted for sale by the Arkana Security extortion group, but no new breach is indicated.
- SentinelOne disclosed new details about an attempted supply chain attack by Chinese hackers, targeting the company through an IT services and logistics provider.
Newly Discovered Vulnerabilities
- Over 84,000 instances of Roundcube webmail remain vulnerable to CVE-2025-49113, a critical remote code execution flaw that has a public exploit and is being actively exploited.
- CISA added critical vulnerabilities in Erlang/Open Telecom Platform (OTP) SSH and Roundcube to its Known Exploited Vulnerabilities Catalog.
- A now-patched critical flaw in Wazuh Server has been exploited in the wild by threat actors deploying two different Mirai botnet variants for DDoS attacks.
- A Google account vulnerability allowed brute-forcing of recovery phone numbers using only a profile name and partial number; the issue has been patched.
Notable Threat Actor Activity
- The Librarian Ghouls APT continues targeting Russian entities, using RAR archives and BAT scripts to steal data and deploy cryptominers, often leveraging legitimate tools and executing attacks at night to evade detection.
- Chinese state-linked threat groups APT15 and UNC5174 (also referenced as “PurpleHaze”) targeted SentinelOne and more than 70 other organizations across multiple sectors between July 2024 and March 2025, focusing on cyber-espionage and supply chain attacks.
- The criminal group UNC6040 is conducting vishing (voice phishing) campaigns to compromise Salesforce instances, according to Google Threat Intelligence Group.
- A global spear-phishing campaign is targeting CFOs and other financial executives worldwide with fraudulent employment offers.
- OpenAI has banned ChatGPT accounts linked to nation-state threat actors, citing use for malicious activities including social engineering, employment fraud, and cyber espionage.
Trends, Tools, or Tactics of Interest
- Multiple botnets are exploiting the Wazuh Server vulnerability to deploy Mirai-based DDoS attacks, demonstrating ongoing interest in IoT botnet infrastructure.
- Security researchers highlight that SIEMs are missing coverage for many MITRE ATT&CK techniques, with a significant proportion of detection rules non-functional.
- Shadow IT risks persist despite IdP or CASB controls, with free trials, third-party AI tools, and personal accounts presenting ongoing exposure.
- AI coding tools are increasing enterprise risk by enabling insecure code generation, as developers adopt new workflows with insufficient security oversight.
- The Linux Foundation has launched the FAIR Package Manager, a decentralized and independent distribution system for trusted WordPress plugins.
Regulatory or Policy Developments
- A new Trump administration cybersecurity order has reversed certain Biden and Obama-era priorities, including limits on cyber sanctions, termination of the digital ID program, and a refocus on enabling AI, deploying post-quantum cryptography, and promoting secure software development.